5:35pm, 24 Sep 2020

TLP Rating: White

Critical Windows Authentication Vulnerability in Netlogon

Update 24 September: Microsoft has reported that this vulnerability is now being exploited by attackers. Any organisations that haven't yet applied the August 2020 security updates for Microsoft Windows Server should apply them as soon as possible.

A misconfiguration in the cryptographic protocol used in Windows’ Netlogon Remote Protocol (CVE-2020-1472) allows an unprivileged network user to set any machine account password to a blank zero-length password, including the Domain Controller machine account itself. Leveraging this would allow full compromise of the Domain Controller.

At least one proof of concept has been released publicly, so the potential for active exploitation exists. If the August 2020 updates from Microsoft have not already been applied to your systems, applying them should be treated as a high priority. Windows Domain Controllers are the highest-priority systems to update.